---
title: "Protect a parked domain without email"
date: 2023-01-05T19:15:00+01:00
draft: false
tags: ["How-To","Tech","email"]
author: "9x0rg"
hidemeta: false
ShowReadingTime: true
ShowPostNavLinks: true
showtoc: false
cover:
  image: "/images/"
  alt: ""
  caption: ""
---

## DNS entries for a parked domain that does not send emails but has a website

| Hostname | Type | TTL | Data |
|:------------:|:----:|:----:|:-------------:|
| `@` | `MX` | `1800` | `0 .` |
| `@` | `TXT` | `1800` | `"v=spf1 -all"` |
| `*._domainkey` | `TXT` | `1800` | `"v=DKIM1; p="` |
| `_dmarc` | `TXT` | `1800` | `"v=DMARC1;p=reject;sp=reject;adkim=s;aspf=s;fo=1;"` |

### DNS entries explained

#### Null MX

Explicitly configure an 'empty' (null) MX record according to [RFC7505](https://tools.ietf.org/html/rfc7505).

```
@ 1800 IN MX 0 .
```

#### SPF

Set an empty policy with a hard fail.

```
@ 1800 IN TXT "v=spf1 -all"
```

#### DKIM

Publish a wildcard DKIM record with an empty public key (`p=`), which marks the key as revoked for every selector.

```
*._domainkey 1800 IN TXT "v=DKIM1; p="
```

#### DMARC

Set the DMARC policy to reject emails[^1]:

```
_dmarc 1800 IN TXT "v=DMARC1;p=reject;sp=reject;adkim=s;aspf=s;fo=1;"
```

or set the DMARC policy to reject emails while still allowing reporting to take place[^2]:

```
_dmarc 1800 IN TXT "v=DMARC1; p=reject; rua=mailto:rua@example.com; ruf=mailto:ruf@example.com"
```

## DNS entries for a parked domain that does not send emails

* Don't use an `A` or `AAAA` record for parked domains;
* Don't redirect from the parked domain `example.com` to the domain in use, `example.org`, since this encourages users to keep using the parked `example.com`. If a redirect is desirable, use the proper redirect order so that HSTS headers remain effective:
  * redirect `http://example.com` to `https://example.com`
  * when using `HTTPS`, redirect `https://example.com` to `https://example.org`.

[^1]: **Credit:** akc3n’s [page of notes](https://akc3n.page/gists/#dns)
[^2]: **Credit:** the [Dutch Internet Standards Platform](https://github.com/internetstandards/toolbox-wiki/blob/main/parked-domain-how-to.md#what-is-a-parked-domain-)